Search results

ISO 22301/20000/27001 integration

ISO 27001, ISO 22301, and ISO 20000 have the same general structure, and this makes integrating them a lot easier. In the integration process you should consider two phases:

1 – Integration of the common parts of ISO management systems, e.g., control of documents, internal audit, management review, etc. These have basically all the same requirements, requiring only minor adjustments to refer to all systems covered.

2 – Implementation of elements that cannot be integrated (basically clauses 6 and 8 of each standard). Regarding ISO 27001, this means including in the organizational process the activities related to information security risk assessment and treatment processes, for ISO 22301 this means including in the organizational process the activities related to business continuity, and for ISO 20000 this means including in the organizational process the activities related to IT services management.

These articles will provide you a further explanation about integrating ISO management systems:
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
- ISO 27001 vs. ITIL: Similarities and differences https://advisera.com/27001academy/blog/2016/03/07/iso-27001-vs-itil-similarities-and-differences/
- What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/

These materials will also help you regarding integrating ISO management systems:
- How to integrate ISO 27001 and IS O 20000 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-iso-27001-and-iso-20000-free-webinar-on-demand/
- ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

ISO 27001 and NIST 800

First, let's understand both NIST and ISO 27001:
- NIST SP-800 series of documents provide detailed information about processes to select and implement controls for computer security
- ISO 27001 provides general requirements for the implementation, operation, control, and improvement of a management system to protect the information, regardless of the environment where it is (e.g., physical reports or digital databases). ISO 27001 provides protection through the selection of security controls described in Annex A, as well other controls that can be added by the organization.  

Considering that, you can use the ISO 27001 to implement the overall approach to protect the information, and after the identification of controls, you can use the NIST documents to implement the details for each control. For example, you can use information from SP 800-53 control for contingency plan testing to implement the Disaster Recovery Plan template.

These articles will provide you a further explanation about ISO 27001 and NIST:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/

Budgeting the EU MDR implementation

Let me see if I understand your question properly. You are asking what is the budget for the implementation of the ISO 13485 and Medical device regulation 2017/745 in your department. Considering the ISO 134b5, we can only state the approximate costs of the documentation toolkit. We do not know the prices of the notified bodies, especially now when the prices with MDR are much higher.

So, on the following link you can see what Documentation toolkit packages we are offering and what each package contains (how much time with the consultant in 1 & 1 meeting, how many e-mails, and how many documents we can review):

• ISO 13485:2016 documentation toolkit https://advisera.com/13485academy/iso-13485-documentation-toolkit/
• ISO 13485:2016 & MDR Integrated Documentation toolkit - https://advisera.com/13485academy/iso-13485-eu-mdr-documentation-toolkit/

At the end of each page, under the title NEED MORE SUPPORT? you will see the packages.

Risk Management and ISMS

1. What is the best way to do risk management?

Regardless of the methodology used (ISO 27001 does not prescribe a methodology to be used, only requirements to be fulfilled, so organizations are free to use the approach that better suits their needs), the best way to do risk management is by involving the people which works directly with the processes and information to be protected, because they are the best source of information to help identify and analyze the risks, and also during daily operations they can provide a faster response in case of new risks arise or incidents occur.

This article will provide you a further explanation about risk management:

• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding risk management:

• The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

2. How do I raise awareness for information security?

Common approaches for information security awareness are training sessions, the use of newsletters, the use of video tutorials, and meetings between management and staff, which should be performed on a regular basis.

Regarding content, please note that you will have different publics with different interests:

• top management needs to make decisions over issues that many times are not so clear for them, and they do not need deep knowledge about technicalities of security issues (they will be more concerned about how it impacts the business). In these cases, your awareness should be focused on the decisions they need to make.
• technical personnel with operational responsibilities for security needs deep knowledge over technologies, methodologies, and processes, so your awareness should be focused on the procedures and rules they need to follow
• overall personnel needs a basic understanding of security, to properly identify, report, and react to risky situations. In these cases, your awareness should be focused on examples and how to proceed according to the policies and procedures

These articles will provide you a further explanation about awareness:

• What are the benefits of security awareness training for organizations? https://advisera.com/27001academy/blog/2019/03/27/what-are-the-benefits-of-security-awareness-training-for-organizations/
• How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
• 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

These materials will also help you regarding awareness:

• Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

3. How to setup an ISMS which is used with excitement? How do I get colleagues all across the organisation to not only understand the necessity, but also the advantages of an ISMS for their daily work?

The most effective ways to set up an ISMS to get the engagement of people are:

• aligning the ISMS objectives to the objectives people have to achieve in their daily business, so they can perceive the new standard can benefit them, help them achieve their business results
• taking employees opinion into account on ISMS related decisions
• being transparent with employees about what the ISMS are going to do and why
• using the ISMS to help them to resolve conflicts of interest with other areas, searching for mutually beneficial solutions

For further information, see:

• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
• 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/

Contingent Worker Definition

I’m assuming that by “contingent workers” you mean outsourced or non-permanent personnel who are hired on a per-project basis (e.g., freelancers, independent contractors, consultants, etc.).

Considering that, and ISO 27000, which defines the vocabulary for information security management systems compliant to ISO 27001, you can use the concept of “outsourced organization”.

For ISO 27000:

• outsource refers to a situation where an external organization performs part of the organization's duties
• organization refers to a person or group of persons with defined responsibilities, authorities, and relations

Please also note that you can also use other terms like contractors, external parties, because they are present in ISO management standards, although there is no formal definition for these terms in ISO glossaries.

Job description according IATF requirement

As you know, job descriptions should be related to the job for which it is responsible. The main issues to be added according to the qualification of the personnel doing the job and the category of the employee are given below.

• The power to stop production should be defined for the employee at each shift.
• When unsuitable products appear or production becomes unstable; actions to be taken; production, quality, etc. should be defined for employees.
• Customer specific-requirements and customer special characteristics tracking should be defined for the relevant employees

As a note; In addition, IATF 16949: 2016, customer-specific requirements and customer special characteristics training should be given to employees.

Who needs ISO?

This decision depends primarily on who is the holder of the product, whose name will be on the product as the manufacturer.

If you are a manufacturer (license), then the manufacturer is expected to have ISO 13485 implemented. According to ISO 13485, when the manufacturer (license holder) outsources any part of the production process, this part of the process is still the manufacturer's responsibility. This means that regardless of the fact that you have outsourced that part of the production, that production must also be carried out in accordance with the requirements of ISO 13485. It doesn't matter if they will be ISO 13485 certified, or if you will make all this documentation as part of your ISO 13485 quality system. It all depends on how you agree. There must be a Quality Agreement between you and that company in which all mutual responsibilities will be described. Be prepared that regardless of your mutual agreement and the fact whether they are certified or not, there is a possibility that during your audit by a certification body, the auditor requires that an audit be conducted in that outsourced company as well. 

For more information on this topic, please see the following article:

• First-, Second- & Third-Party Audits for medical device manufacturers & suppliers - https://advisera.com/13485academy/knowledgebase/first-second-third-party-audits-for-medical-device-manufacturers-suppliers/

You can see how we designed a Quality agreement with the subcontractor in our ISO 13485:2016 Documentation toolkit:

• Quality Agreement for Subcontractor https://advisera.com/13485academy/documentation/quality-agreement-for-subcontractor/

• List of internal and external documents

  Yes, you need to have the List of internal documents. The purpose of this list is to catalogize all documents that have been created for the management system. It doesn't matter if they are in electronic or paper form. This list tells you which documents are currently in use, which version of that document is currently active, and since when. 

  External documents are all documents that come into your company and are necessary for your work. This usually includes laws and regulations, contracts with suppliers and customers, and similar.

  For more information on this subject, please see the following articles:

  • Common mistakes with ISO 13485:2016 documentation control and how to avoid them https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/
  • How to structure Quality Management System documentation according to ISO 13485 https://advisera.com/13485academy/knowledgebase/how-to-structure-quality-management-system-documentation-according-to-iso-13485/

  • Relation ISO, MDR and CE

    Medical devices that want to be put on the EU market must be prepared according to the requirements from the Medical device regulation (MDR, 2017/745). In this regulation are requirements both how the medical device must be designed, constructed, produced, and tested to prove its safety and performance.

    For all medical device manufacturers, it is mandatory to have implemented a quality management system (Article 10). Also, manufacturers must prove compliance with a list of harmonized standards that are published by the European Commission in the Official Journal (Article 8). There are more than 300 different standards on that list, but the only standard that covers the quality management list is ISO 13485:2016. That is why it is expected for the manufacturers on the EU market to have implemented ISO 13485:2016.

    Besides the quality management system, each medical device must have prepared technical documentation according to Annex 2 and Annex 3 of the MDR. 

    In ISO 13485:2016 there is requirement 7.1 Planning of product realization that asks form the manufacturers to document one or more processes for risk management in the product realization. ISO 14971:2019 is the standard that covers requirements regarding risk management, especially for medical devices.

    The following links are for future readings:

    • Full text of the MDR https://advisera.com/13485academy/mdr/
    • Article 8 – Use of harmonized standards https://advisera.com/13485academy/mdr/use-of-harmonised-standards/
    • EU MDR Article 10 – General obligations of manufacturers https://advisera.com/13485academy/mdr/general-obligations-of-manufacturers/
    • EU MDR Annex 2 – Technical documentation https://advisera.com/13485academy/mdr/technical-documentation/
    • EU MDR Annex 3 – technical documentation for post-market surveillance https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/
    • List of harmonised standards https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2020:090I:TOC
    • What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/
    • How can ISO 13485 help with MDR compliance? https://advisera.com/13485academy/blog/2020/03/09/how-can-iso-13485-help-with-mdr-compliance/
    • EU MDR Checklist of Mandatory Documents https://info.advisera.com/13485academy/free-download/eu-mdr-checklist-of-mandatory-documents

    • ISO 27001 Scope change

      Please note that if all employees are accessing from home the same services and company-owned hardware they accessed when they worked in the company, then the ISMS scope does not need to be changed.

      The use of personal devices to access company’s services and owned hardware from home can be handled by means of identification of relevant risks related to the use of personal devices and to remote access, which can be treated by means of controls such as A.6.2.1 Mobile device policy, A.6.2.2 Teleworking, and A.13.2.1 Information transfer policies and procedures.

      The use of company’s owned hardware by employees from their homes can be handled by means of identification of relevant risks related to telework, which can be treated by means of controls such as A.6.2.1 Mobile device policy, A.6.2.2 Teleworking, and A.11.2.6 Security of equipment and assets off-premises

      To see how policies covering these controls look like, please take a look at these free demos:

      • Bring Your Own Device (BYOD) Policy https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/
      • Mobile Device and Teleworking Policy template: https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/

      These articles will provide you a further explanation about teleworking:

      • How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
      • How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/
      • What to include in an ISO 27001 remote access policy https://advisera.com/27001academy/blog/2019/04/23/iso-27001-remote-access-policy-how-to-develop-it/

      These materials will also help you regarding teleworking:

      • Checklist of cyber threats & safeguards when working from home (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home?.
      • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
      • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/